[glib/wip/tingping/pkcs11] gtlscertificate: Add pkcs11 URI properties and constructor



commit 451ead0479aefe2f33b3c5ad1d31c1dea5f47db2
Author: Patrick Griffis <pgriffis igalia com>
Date:   Wed Jun 19 09:10:52 2019 -0700

    gtlscertificate: Add pkcs11 URI properties and constructor

 docs/reference/gio/gio-sections.txt |   1 +
 gio/gtlscertificate.c               | 112 +++++++++++++++++++++++++++++++++++-
 gio/gtlscertificate.h               |   5 ++
 gio/tests/gtesttlsbackend.c         |  12 +++-
 gio/tests/tls-certificate.c         |  16 ++++++
 5 files changed, 142 insertions(+), 4 deletions(-)
---
diff --git a/docs/reference/gio/gio-sections.txt b/docs/reference/gio/gio-sections.txt
index 6aa07b462..61c3e0b76 100644
--- a/docs/reference/gio/gio-sections.txt
+++ b/docs/reference/gio/gio-sections.txt
@@ -3731,6 +3731,7 @@ GTlsCertificate
 g_tls_certificate_new_from_pem
 g_tls_certificate_new_from_file
 g_tls_certificate_new_from_files
+g_tls_certificate_new_from_pkcs11_uris
 g_tls_certificate_list_new_from_file
 g_tls_certificate_get_issuer
 g_tls_certificate_verify
diff --git a/gio/gtlscertificate.c b/gio/gtlscertificate.c
index 72de5eb1f..827c2b21a 100644
--- a/gio/gtlscertificate.c
+++ b/gio/gtlscertificate.c
@@ -60,7 +60,9 @@ enum
   PROP_CERTIFICATE_PEM,
   PROP_PRIVATE_KEY,
   PROP_PRIVATE_KEY_PEM,
-  PROP_ISSUER
+  PROP_ISSUER,
+  PROP_PKCS11_CERTIFICATE_URI,
+  PROP_PKCS11_PRIVATE_KEY_URI,
 };
 
 static void
@@ -74,7 +76,16 @@ g_tls_certificate_get_property (GObject    *object,
                                GValue     *value,
                                GParamSpec *pspec)
 {
-  G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
+  switch (prop_id)
+    {
+      case PROP_PKCS11_CERTIFICATE_URI:
+      case PROP_PKCS11_PRIVATE_KEY_URI:
+        /* Subclasses must override this property but this allows older backends to not fatally error */
+        g_value_set_static_string (value, NULL);
+        break;
+      default:
+        G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
+    }
 }
 
 static void
@@ -83,7 +94,14 @@ g_tls_certificate_set_property (GObject      *object,
                                const GValue *value,
                                GParamSpec   *pspec)
 {
-  G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
+  switch (prop_id)
+    {
+      case PROP_PKCS11_CERTIFICATE_URI:
+      case PROP_PKCS11_PRIVATE_KEY_URI:
+        break;
+      default:
+        G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
+    }
 }
 
 static void
@@ -193,6 +211,43 @@ g_tls_certificate_class_init (GTlsCertificateClass *class)
                                                        G_PARAM_READWRITE |
                                                        G_PARAM_CONSTRUCT_ONLY |
                                                        G_PARAM_STATIC_STRINGS));
+
+  /**
+   * GTlsCertificate:pkcs11-certificate-uri:
+   *
+   * A URI referencing the PKCS \#11 object containing a X.509 certificate.
+   *
+   * If %NULL the certificate is either not backed by PKCS \#11 or the
+   * #GTlsBackend does not support PKCS \#11.
+   *
+   * Since: 2.62
+   */
+  g_object_class_install_property (gobject_class, PROP_PKCS11_CERTIFICATE_URI,
+                                  g_param_spec_string ("pkcs11-certificate-uri",
+                                                       P_("PKCS #11 certificate URI"),
+                                                       P_("The PKCS #11 URI for the certificate"),
+                                                       NULL,
+                                                       G_PARAM_READWRITE |
+                                                       G_PARAM_CONSTRUCT_ONLY |
+                                                       G_PARAM_STATIC_STRINGS));
+
+
+  /**
+   * GTlsCertificate:pkcs11-private-key-uri:
+   *
+   * A URI referencing the PKCS \#11 object containing a private key.
+   *
+   * Since: 2.62
+   */
+  g_object_class_install_property (gobject_class, PROP_PKCS11_PRIVATE_KEY_URI,
+                                  g_param_spec_string ("pkcs11-private-key-uri",
+                                                       P_("PKCS #11 private key URI"),
+                                                       P_("The PKCS #11 URI for the private key"),
+                                                       NULL,
+                                                       G_PARAM_READWRITE |
+                                                       G_PARAM_CONSTRUCT_ONLY |
+                                                       G_PARAM_STATIC_STRINGS));
+
 }
 
 static GTlsCertificate *
@@ -591,6 +646,57 @@ g_tls_certificate_new_from_files (const gchar  *cert_file,
   return cert;
 }
 
+/**
+ * g_tls_certificate_new_from_pkcs11_uris:
+ * @certificate_uri: A PKCS \#11 URI for the X.509 certificate
+ * @private_key_uri: (nullable): A PKCS \#11 URI for a private key
+ * @error: #GError for error reporting, or %NULL to ignore.
+ *
+ * Creates a #GTlsCertificate from PKCS \#11 URIs. @certificate_uri
+ * must not be pin protected. This function does not ensure
+ * @private_key_uri points to a valid object and may fail or
+ * require a PIN at later usage.
+ *
+ * Returns: the new certificate, or %NULL on error
+ *
+ * Since: 2.62
+ */
+GTlsCertificate *
+g_tls_certificate_new_from_pkcs11_uris (const gchar  *certificate_uri,
+                                        const gchar  *private_key_uri,
+                                        GError      **error)
+{
+  GObject *cert;
+  GTlsBackend *backend;
+
+  g_return_val_if_fail (certificate_uri, NULL);
+
+  backend = g_tls_backend_get_default ();
+
+  cert = g_initable_new (g_tls_backend_get_certificate_type (backend),
+                         NULL, error,
+                         "pkcs11-certificate-uri", certificate_uri,
+                         "pkcs11-private-key-uri", private_key_uri,
+                         NULL);
+
+  if (cert != NULL)
+    {
+      gchar *objects_uri;
+
+      /* Old implementations might not override this property */
+      g_object_get (cert, "pkcs11-certificate-uri", &objects_uri, NULL);
+      if (objects_uri == NULL)
+        {
+          g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED, "This GTlsBackend does not 
support creating PKCS #11 certificates");
+          g_object_unref (cert);
+          return NULL;
+        }
+      g_free (objects_uri);
+    }
+
+  return G_TLS_CERTIFICATE (cert);
+}
+
 /**
  * g_tls_certificate_list_new_from_file:
  * @file: (type filename): file containing PEM-encoded certificates to import
diff --git a/gio/gtlscertificate.h b/gio/gtlscertificate.h
index a064543c4..d572828d0 100644
--- a/gio/gtlscertificate.h
+++ b/gio/gtlscertificate.h
@@ -71,6 +71,11 @@ GLIB_AVAILABLE_IN_ALL
 GTlsCertificate      *g_tls_certificate_new_from_files     (const gchar         *cert_file,
                                                            const gchar         *key_file,
                                                            GError             **error);
+GLIB_AVAILABLE_IN_2_62
+GTlsCertificate      *g_tls_certificate_new_from_pkcs11_uris (const gchar        *certificate_uri,
+                                                              const gchar        *private_key_uri,
+                                                              GError            **error);
+
 GLIB_AVAILABLE_IN_ALL
 GList                *g_tls_certificate_list_new_from_file (const gchar         *file,
                                                            GError             **error);
diff --git a/gio/tests/gtesttlsbackend.c b/gio/tests/gtesttlsbackend.c
index 157a4a3f3..b223dbf9c 100644
--- a/gio/tests/gtesttlsbackend.c
+++ b/gio/tests/gtesttlsbackend.c
@@ -91,6 +91,7 @@ struct _GTestTlsCertificate {
   gchar *key_pem;
   gchar *cert_pem;
   GTlsCertificate *issuer;
+  gchar *pkcs11_certificate_uri;
 };
 
 struct _GTestTlsCertificateClass {
@@ -103,7 +104,8 @@ enum
   PROP_CERT_CERTIFICATE_PEM,
   PROP_CERT_PRIVATE_KEY,
   PROP_CERT_PRIVATE_KEY_PEM,
-  PROP_CERT_ISSUER
+  PROP_CERT_ISSUER,
+  PROP_CERT_PKCS11_CERTIFICATE_URI,
 };
 
 static void g_test_tls_certificate_initable_iface_init (GInitableIface *iface);
@@ -141,6 +143,9 @@ g_test_tls_certificate_get_property (GObject    *object,
     case PROP_CERT_ISSUER:
       g_value_set_object (value, cert->issuer);
       break;
+    case PROP_CERT_PKCS11_CERTIFICATE_URI:
+      g_value_set_string (value, cert->pkcs11_certificate_uri);
+      break;
     default:
       g_assert_not_reached ();
       break;
@@ -166,6 +171,9 @@ g_test_tls_certificate_set_property (GObject      *object,
     case PROP_CERT_ISSUER:
       cert->issuer = g_value_dup_object (value);
       break;
+    case PROP_CERT_PKCS11_CERTIFICATE_URI:
+      cert->pkcs11_certificate_uri = g_value_dup_string (value);
+      break;
     case PROP_CERT_CERTIFICATE:
     case PROP_CERT_PRIVATE_KEY:
       /* ignore */
@@ -183,6 +191,7 @@ g_test_tls_certificate_finalize (GObject *object)
 
   g_free (cert->cert_pem);
   g_free (cert->key_pem);
+  g_free (cert->pkcs11_certificate_uri);
   g_clear_object (&cert->issuer);
 
   G_OBJECT_CLASS (g_test_tls_certificate_parent_class)->finalize (object);
@@ -205,6 +214,7 @@ g_test_tls_certificate_class_init (GTestTlsCertificateClass *test_class)
   g_object_class_override_property (gobject_class, PROP_CERT_PRIVATE_KEY, "private-key");
   g_object_class_override_property (gobject_class, PROP_CERT_PRIVATE_KEY_PEM, "private-key-pem");
   g_object_class_override_property (gobject_class, PROP_CERT_ISSUER, "issuer");
+  g_object_class_override_property (gobject_class, PROP_CERT_PKCS11_CERTIFICATE_URI, 
"pkcs11-certificate-uri");
 }
 
 static void
diff --git a/gio/tests/tls-certificate.c b/gio/tests/tls-certificate.c
index e1ba23737..f8bf02483 100644
--- a/gio/tests/tls-certificate.c
+++ b/gio/tests/tls-certificate.c
@@ -398,6 +398,19 @@ list_from_file (const Reference *ref)
   g_assert_cmpint (g_list_length (list), ==, 0);
 }
 
+static void
+from_pkcs11_uri (void)
+{
+  GError *error = NULL;
+  GTlsCertificate *cert;
+
+  cert = g_tls_certificate_new_from_pkcs11_uris 
("pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=ca-bundle.crt", NULL, &error);
+  g_assert_no_error (error);
+  g_assert_nonnull (cert);
+
+  g_object_unref (cert);
+}
+
 int
 main (int   argc,
       char *argv[])
@@ -464,6 +477,9 @@ main (int   argc,
                         &ref, (GTestDataFunc)from_files_pkcs8enc);
   g_test_add_data_func ("/tls-certificate/list_from_file",
                         &ref, (GTestDataFunc)list_from_file);
+  g_test_add_func ("/tls-certificate/pkcs11-uri",
+                   from_pkcs11_uri);
+
 
   rtv = g_test_run();
 


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]